ective on IP traffic growth


IT professionals, perhaps more than anyone, have a sense of just how fast things are changing in this information-driven world. But Cisco’s latest Visual Networking Index, an ongoing study of global IP traffic, adds perspective that may influence some of your thinking when it comes to long-range capacity planning.

Cisco says “global IP traffic will pass the zettabyte threshold [a zettabyte is a billion terabytes] by the end of 2015, and will reach 1.4 zettabytes per year by 2017” (see tinyurl.com/lpojmj). That by itself is remarkable, but even more so when viewed in historical context. Cisco offers the chart below.

Said another way: IP traffic jumped more than fivefold in the last five years and is expected to keep ramping up at a 23% compound annual growth rate to 2017.

Of all IP traffic, consumer loads account for the bulk, some 82%, Cisco says, although business IP traffic is growing at close to the same rate, ratcheting up 21% per year for the same period.

As of last year 74% of IP traffic still originated from PCs, but that is expected to drop to 49% by 2017 as traffic from devices such as tablets and smartphones skyrockets (at 104% and 79% growth rates, respectively). That is, of course, why companies are scrambling to embrace BYOD and accounts for the spiraling demands on corporate Wi-Fi networks. Regarding the latter, Cisco predicts that “traffic from wireless and mobile devices will exceed traffic from wired devices by 2016.”

In  2012  there  were  about  two  networked 
IP  devices  for  every  person  on  the  planet, 
and  by  2017  that  number  will  approach 
three  devices  per  person. 

“Globally,  mobile  data  traffic  will 
increase  thirteenfold  between  2012  and 
2017,”  Cisco  predicts.  That’s  a  compound 
annual  growth  rate  of  66%,  three  times 
the  rate  of  fixed  IP  traffic.  By  2017,  more  than  11  exabytes  of  mobile  traffic  will  be 
traversing  the  airwaves  per  month  (an  exabyte  being  a  billion  gigabytes). 

Regarding  video  uptake,  Cisco  says  “global  IP  video  traffic  will  be  73%  of  all  IP 
traffic  (both  business  and  consumer)  by  2017,  up  from  60%  in  2012.” 

Hopefully  your  plans  account  for  this  dramatic  growth.  If  not,  time  to  get  back  to 
the  drawing  board. 


Year    Global Internet Traffic
1992    100 gigabytes per day
1997    100 gigabytes per hour
2002    100 gigabytes per second
2007    2,000 gigabytes per second
2012    12,000 gigabytes per second
2017    35,000 gigabytes per second
PC market's unreliable hardware

THE ISSUE HERE is that computers are so fast now, that micro-changes are not enough. It used to be that CPU speeds were doubled every 18 months. Now performance gains are coming from faster memory, SSD drives, faster networking, and performance improvements in Windows, enabling less-powerful machines to run Windows. There isn’t a need to upgrade your computer every one to two years anymore (Re: “IDC: PC sales being crippled by tablets; Windows 8 part of the problem”; tinyurl.com/n6xkexy).

I, as well as many friends and colleagues, are fed up with the security holes, malware, slow release schedules, poor performance and memory bloat of Windows. There are better solutions that may cost a little more, but last a lot longer, are better-performing and are more secure.

Armand  Welsh 

Reliable LinkedIn endorsements

BOTTOM LINE: YOU can’t trust endorsements, because they are too easily and readily dispensed (Re: “Lawyer questions legal ethics of LinkedIn endorsements”; tinyurl.com/kjljp8g).

On reading this article I hid the endorsement from friends and other contacts who can’t know whether their opinions are valid — that way I can tell people that they can contact any of those remaining as a reference.

As a result I only have a few endorsements — but those are reliable.

Near  Genius 

Too many devices spoil productivity

TOO MUCH TECH poorly used is counter-productive. When five devices are clamoring for our attention, focus is fractured and the time spent shuffling devices affects actual production. Not to mention being on professional and social networks during work hours (Re: “Rude and overworked? Blame tech”; tinyurl.com/n7avgct).

Ask  yourself  this:  Would  you  want 
your  surgeon  taking  iPhone  calls  in  the 
middle  of  a  procedure  on  you? 

johnkies 


Internet sales tax: Another view

I HAVE TO disagree with your editorial in the May 6 edition (Re: “Time is now for Internet retail tax”; tinyurl.com/kzrvpgn).

Yes $23 billion is a huge potential tax windfall. The biggest problem I see with it, however, is that this windfall will not go to help local retailers. Instead, it will go to the same group of financial “wizards” that spent the vault bare during boom times, and couldn’t figure out that the party was over and tax income was drying up until every state, county and municipality was nearly bankrupt. Neither can they figure out a way to make it “fair” for local brick-and-mortar merchants without requiring more taxes from somewhere else.

And Network World sees the best way of rewarding fiscal irresponsibility at all levels as “give them more money”? Nope. Stop this bad bill before it gets anywhere and cut off the money supply from politicians and elected officials who don’t get that austerity begins in government. If fairness is the goal, then make it fair for the local retailer on the basis of level playing field, and not by burdening the Internet retailer with a tax that will do little more than fill the coffers until it can be all spent . . . leaving the politician with his or her handout demanding more.

Too_Old_For_IT 

The hidden costs of using Xbox One

I UNDERSTAND THAT the Xbox One wants to appeal to a new wave of consumers, which is fine, but as I understand, we will have to pay Microsoft to access those services (Netflix, Hulu, Internet, etc.) on the console, while already paying for our monthly subscriptions that we can watch for free on other devices (Re: “Why Xbox One gaming has been an afterthought”; tinyurl.com/mmv75ho).

I don’t mind that it’s going to be a “complete” entertainment system; I do mind paying Microsoft extra for the privilege to use it. In an economy where people are feeling the pinch, I think it’s going to be a tough sell.

Rich  Carrillo 


Rude and overworked? Blame tech

IT EXECS SAY employees are getting ruder on the job, and they’re blaming mobile technology for the rise in bad manners. IT staffing specialist Robert Half Technology (RHT) asked 2,300 CIOs what effect the increased use of mobile electronic gadgets has had on workplace etiquette, and 64% said etiquette breaches have increased. Meanwhile, a majority of IT executives today find themselves working outside of traditional business hours - a practice enabled by the proliferation of mobile devices. Polled by RHT, 73% of CIOs said they check in with work “often” or “somewhat often” on evenings and weekends. tinyurl.com/n7avgct



A new Start for Win 8.1

MICROSOFT CUSTOMERS clamoring for a Start button and menu in Windows 8 will get their wish partially fulfilled in the upcoming OS update. Windows 8.1 will not have a Start menu, but it will have something very close to a Start button that will trigger several key Start menu-like features. Some of the early complaints about Windows 8 focused on the fact that it has two user interfaces: the radically redesigned “Modern” one based on tile icons and optimized for touch screen devices, and a traditional one similar to Windows 7’s for running legacy applications that nonetheless lacks the Start button and menu. Critics say the Modern UI requires a steep learning curve for the average user, and toggling between the two interfaces is awkward. But Windows 8.1 adds a Start-like button, as well as the possibility to view all the applications on the device and sort them by name, date installed, most used or category. The OS update also will allow users to boot directly to the traditional desktop interface. tinyurl.com/kevsujz


The cloud goes global

Cloud computing providers are increasing their international footprints around the globe. Here are some of the expansions that have been announced in the last half-year:

Amazon Web Services: Launched Australian data center in Sydney in November, expanded CloudFront content delivery network (CDN) to Spain and South Korea

EMC: Announced cloud portfolio in conjunction with Capgemini in Brazil

Google: Announced expansion plans for South Carolina and Iowa data centers in the U.S., while expanding or building new data centers in Finland, Chile, Singapore and Taiwan

IBM: Announced expansions in both Germany and Mexico recently

Rackspace: Announced data center expansion plans in London and opened its first Australian data center in February. It also created a new partner network, to develop service providers in South America, Asia and Eastern Europe

Savvis: 85,000 square foot expansion of data center space in North America, Europe and Asia, including new operations in London and Hong Kong

Verizon Terremark: Recently expanded data center footprints in Dallas, London and Australia

SOURCE: TECHNOLOGY BUSINESS RESEARCH


The global cloud

AS COMPETITION in cloud computing intensifies, some of the biggest players are looking beyond their domestic borders. Most recently Savvis added 85,000 square feet of data center space, including centers in London and Hong Kong. Microsoft announced last month the expansion of its services across Japan, and in recent months Amazon Web Services, Rackspace, Google, IBM and others announced data center expansions in emerging international markets. “Now that public cloud computing is maturing, customers are seeking cloud on a more global level and vendors are looking to monetize this demand,” says Jillian Mirandi, an analyst at Technology Business Research. Reasons for international expansion include: country-specific data privacy laws that require certain types of information to be given safe harbor within a country’s domestic borders; and overseas companies’ reluctance to store sensitive information in the U.S. due to government surveillance concerns. tinyurl.com/ldkhuvs

AWS ties logins to Google, Facebook

USING A new API announced by Amazon Web Services, developers can use Amazon.com, Facebook, or Google’s sign-in systems for their cloud-based apps. Amazon calls the concept web identity federation, and the new AWS Security Token Service (STS) API simplifies the development process by letting users integrate web-based sign-in platforms with their apps without having to write any server-side code.

The API — which is called AssumeRoleWithWebIdentity — requests temporary security credentials for users that have been authenticated using one of the three public identity providers. An app can then use the temporary credentials to access AWS resources, such as Simple Storage Service (S3) objects, DynamoDB tables, or Simple Queue Service queues. tinyurl.com/ku23ra4

Cisco pockets JouleX

CISCO IS acquiring privately held JouleX, a developer of enterprise IT energy management tools, for $107 million in cash. JouleX, based in Atlanta, provides software for enterprise and data center energy management, analytics, policy governance and compliance. Cisco says JouleX’s cloud-enabled software will complement its own EnergyWise energy management products and provide customers with a way to manage energy usage without the use of device-side agents, hardware meters or network configurations. tinyurl.com/lgaruqu

Visit the Japan Tech Hall of Fame

Take a tour of Japan’s greatest hits in technology in this new Osaka exhibition, including the Walkman and Aibo robot dog. tinyurl.com/mhor75x

BYOD dampens corporate PC buying

COMPANIES' BRING-YOUR-OWN-DEVICE (BYOD) policies are affecting how many traditional PCs enterprises purchase and contributing to a global sales slump, according to IDC. About 25% of employees in businesses with more than 10 workers have bought the primary PC they use for work, which is a large enough slice to meaningfully reduce corporate buying. “[Employee-purchased] PCs are significantly higher in number than we thought. We believed it was just 5% to 10%, but it’s more than double that,” said analyst Bob O’Donnell. IDC forecasts that PC shipments will contract 7.8% this year compared to 2012, followed by a smaller slump of 1.2% in 2014. If IDC’s prognostication is on target, the 2012-2013 stretch would be the first time PC shipments will have declined for two consecutive calendar years since the research firm started tracking the market in 1994. tinyurl.com/mfazm63
Faster than a speeding Google Fiber...

A RESEARCH team led by Bell Labs’ Xiang Liu has published an article in Nature Photonics describing a way to send and receive information at 400Gbps across 12,800km of optical fiber - an enormous potential gain of both speed and effective distance compared to current technology. Liu tells us that the idea, likened by the BBC to the wave-canceling technology used in headphones that block outside noise, is actually simpler than that.


PayPal no friend of teen bug finder

A 17-YEAR-OLD German student contends PayPal has denied him a reward for finding a vulnerability in its website. Robert Kugler said he notified PayPal of the vulnerability on May 19. He said he was informed by email that because he is younger than 18 years old, he did not qualify for its Bug Bounty Program. He will turn 18 next March. PayPal, which is owned by auction site eBay, outlines the terms and conditions for its Bug Bounty Program on its website, but does not appear to have an age guideline. PayPal officials did not have an immediate comment. Many companies such as Google and Facebook have reward programs intended to create an incentive for researchers to privately report issues and allow vendors to release fixes before hackers take advantage of flaws.


Galaxy S3 allegedly explodes

SAMSUNG, COMING off a glitzy New York City extravaganza/horror show to introduce its Galaxy S4 Android smartphone, apparently set off some real fireworks at the home of one of its Galaxy S3 customers. He posted to Reddit about his S3 exploding in the middle of the night and burning his pillow and bedsheets and provided graphic photos.

The customer is reportedly working with Samsung to help them investigate the matter, and he hopes, replace his phone and bedroom items.
Microsoft revamps via ‘cloud-first engineering’

At TechEd: Windows Server, SQL Server, others get second major refresh in a year

BY TIM GREENE


MICROSOFT TODAY is showing off improvements to most of its enterprise infrastructure software designed to make it simpler for businesses to deploy hybrid cloud services that can allocate resources as needed.

The announcements at its annual TechEd North America conference come about a year after the company delivered a major overhaul of the same platforms - Windows Server, SQL Server, Visual Studio and System Center as well as new features in its Azure cloud service and InTune PC- and device-management service.

This is a new accelerated pace the company is adopting for updates and upgrades to its software offerings, driven by its experience developing features and management tools it needs to run Azure, says Brad Anderson, Microsoft vice president of Windows Server and System Center. He calls this cloud-first engineering.

“We are literally refreshing every one of the on-premises infrastructure products from Microsoft,” says Anderson, who will be detailing the new features at the conference in New Orleans.

These include Microsoft’s much touted Hekaton technology which can speed up the transaction-processing time of SQL server transactions and improved deduplication that can reduce the storage footprint of data in Windows Server more than 90%, he says.

Upgrades to Visual Studio include tools for IT staff to create virtual machines of application servers that are glitchy and ship them to developers where they can be fixed offline, he says.

Many of the new features were proved first in Azure and are now being pushed into on-premises products, he says.

All the new versions will be available for preview later in June via download from Microsoft sites and all except SQL Server will ship by year-end.

The company will be releasing Windows Azure Pack, which lays the Azure Web portal to Windows Server and System Center on-premises products.

Anderson will also describe some of the new features coming with Windows 8.1, the first major upgrade to the new desktop operating system. Here’s more about what Microsoft has in store at TechEd:

Windows Server 2012 R2: Windows Server has advances in software-defined networking that include partner announcements about extending and enhancing Hyper-V network virtualization. This includes a site-to-site VPN gateway that automatically creates secure links between data centers and assets in service provider networks.




Through software, storage can now be accommodated on commodity server hardware rather than dedicated SAN infrastructure.

Windows Server can also deduplicate data, consolidating repetitive strings so the data occupies less space. He says a demonstration will show how the data footprint for a virtual desktop infrastructure deployment can be reduced 95%.

Hyper-V virtualization within Windows Server can replicate copies of data to service provider data centers and then enable further replication by the providers for purposes of disaster recovery.

A new hybrid cloud feature enables stretching corporate computing resources into a public cloud by moving Web servers into a public cloud while retaining their old IP addresses and leaving the data tier back in the corporate data center.

The new version of the server simplifies setting up Active Directory Federated Services, which enables single sign-on to related Web applications during a single online session, essentially extending Active Directory to Azure.

A feature called Windows Server Work Folders enables replicating data from local hard drives to a data center, then re-replicating it out to other devices.

SQL Server 2014: The latest version will include Hekaton, the Microsoft code name for its new in-memory processing for applications in the database that the company says can improve the number of transactions per second. Customers will attest to increases of 15 times on the same hardware, Anderson says. There will be a demonstration of this from a business intelligence perspective.

SQL Server has the ability to do backup and disaster recovery to Azure.

System Center: This server will have the same portal that Azure had that is being enabled by Azure Pack. This could be used with System Center, for example, to enable end users in a department to create new virtual machines within cloud infrastructure based on policies set up by IT. “It’s self-service, exactly as if you were to go to Azure,” Anderson says.

Visual Studio 2013: This software development platform can be tied in to Azure so when developers are ready to test whether new applications will scale up they can create virtual machines within Azure on which to run the tests, then turn off the virtual machines when testing is done.

The new version gives individuals visibility into portions of the code other development team members are working on, what tests have been run and access to logs that show who has worked on what blocks of code. They can also chat natively within Visual Studio with other developers.

Visual Studio’s connection to System Center has improved the time to resolution of problems that are found with apps in production. When IT encounters such problems it can snapshot the server on a virtual machine that the developer can work on offline, find a fix and publish it to IT to roll out as an update.

Azure: Microsoft is revising the billing model for Azure for Virtual Machines, Web Roles and Worker Roles services so customers pay per minute rather than per hour, which gives customers the opportunity to save money via more precise charges.

InTune: This service for PC and device management and protection is being expanded to do a degree of mobile device management for Windows, Apple iOS and Android devices. Support for Android is new.

With the feature Anderson says IT could set up policies for the devices that are automatically applied when devices are registered to the service by end users. The end users could then self-provision the applications they need to get their jobs done.

A demo will show how the service can wipe corporate data off a worker’s device and leave the worker’s data intact.
HP updates tools, services for app modernization

Today's enterprise developer needs a different skillset than one required in years past

BY JOAB JACKSON, IDG NEWS SERVICE

HP HAS updated a number of its software packages and services to help developers and IT managers modernize their applications so they will better fit into today’s always connected environment.

Enterprise software users now “interact with consumer apps constantly, and those experiences are shaping the demands on the enterprise applications they use as well,” says Franklin Grosvenor, HP’s vice president for enterprise mobility and social business services.

In a recent survey conducted on behalf of HP, nearly 80% of corporate chief marketing officers expressed frustration in how badly designed customer-facing enterprise applications were, from the perspective of the users.

Today’s enterprise software developer has a different set of requirements than in years past, Grosvenor explained.

“Historically, most enterprise application developers start with a set of features and functions they have to deliver. This is starting to change,” Grosvenor says. “Increasingly, the demand is to deliver a business outcome and a desired experience to the user. You do that through orchestrating features and functions in a way that is compelling.”

To this end, the company has added more user interface expertise to its consulting practice. The HP User Experience Design Services, part of the company’s consulting service, can help walk organizations through the process of building user-friendly enterprise applications.

“The user experience transcends the data, or the user interface. It’s not the font size or the color schemes that you paint over top of the application. It is how the user moves through an application in a way that is intuitive. [Users] shouldn’t have to sit through classroom training or pour through online training to understand what to do next,” Grosvenor says.

The consulting service interviews end users — either customers or employees — to determine their needs, as well as works to understand the client’s business process and IT infrastructure. The results of this research, which can be part of an organization’s application modernization project, can speed the process of designing an appealing, productive application, Grosvenor says.

On the software side, the company has updated a number of its applications that address both development and operational performance of enterprise applications.

One application that has been updated is HP Anywhere, a platform that provides a way to write a mobile application that can run across both Apple iOS and Google Android devices. Based on the Apache Cordova framework, HP Anywhere uses open Web technologies such as HTML5 and JavaScript, as well as application containers designed to work with specific system calls found in iOS and Android.

The update to HP Anywhere, version 10.01, adds additional security tools to the containers and offers a new API that third-party mobile device management software can use to gather more performance information about the application.

HP also updated its HP Real User Monitoring (RUM) software, part of the Application Performance Management (APM) portfolio. RUM monitors how people use the applications on their mobile devices. It collects statistics on which features are used, as well as how quickly the mobile application responds to user commands.

Version 9.22 software of RUM is the first that can monitor native Android applications. Previous versions could only monitor Web applications on the Android platform.

Also in the portfolio is the newly updated HP Performance Anywhere APM software. Version 1.1 of the software offers predictive analytics that can alert administrators when a service is degrading, and can track performance of applications across cellular networks.

The company has also released a collection of software development kits (SDK), demo programs and application cookbooks — under the name of HP Anywhere Developer Zone — aimed at helping developers design more effective enterprise mobile applications.

For those organizations interested in updating their back-end infrastructure, HP has released a set of reference architectures, called HP Application Integration to Cloud, for developing an application that can run on private or public clouds, using middleware from Tibco and Red Hat. Such infrastructure is best suited for high-performance throughput heterogeneous technology systems that require strict service-level agreements, says Tom Hall, HP’s worldwide cloud services marketing manager.

As shipments of personal computers flag, financial analysts have looked to the enterprise mobile market as one area that could help boost HP’s bottom line.


Network builders tackling cell vs. Wi-Fi choices

BY STEPHEN LAWSON, IDG NEWS SERVICE

MOBILE USERS can probably look forward to being automatically transferred from
cellular to Wi-Fi networks in the near future, but going back and forth for the
best possible performance is another matter.

Software now in the works will use real-time knowledge about network conditions
to make lightning-fast decisions about the best system for each user to be on at
a given moment. The idea is that just because there’s a Wi-Fi network nearby,
doesn’t necessarily mean your smartphone should start using it. If every subscriber
near that hotspot got switched over to it, the Wi-Fi experience could suffer.

It’s already common for Wi-Fi networks in public places to get overloaded at busy
times. Automatic handoffs from cellular to Wi-Fi, while convenient, won’t make
that situation any better. To prevent those overloads, networks will need more
management smarts, said Daryl Schoolar, an analyst at Ovum.

That’s why both Ericsson and Nokia Siemens Networks announced technologies at
CTIA Wireless recently for so-called real-time traffic steering. But the collection
of standards that the industry is currently adopting for easy cell-to-Wi-Fi handoffs
doesn’t yet include this capability, so it may take a while for carriers to make
it available.

Mobile operators increasingly are giving their subscribers access to Wi-Fi, both
by deploying hotspots and by partnering with other providers. This can give the
carriers extra capacity, without paying for another spectrum license, in areas
where many people gather and use mobile devices. For subscribers, it can mean
faster network connections, depending on the cellular coverage in the area.

Emerging technologies can authenticate users and put them on Wi-Fi automatically,
eliminating the tasks of finding the network and logging in to it. However, that
process is centered on the mobile device, which can lead to problems, said Sheila
Burpee Duncan, head of Wi-Fi marketing at Ericsson. A phone or tablet may be set
to automatically go onto Wi-Fi wherever it detects the signal, even though it
doesn’t know whether the Wi-Fi network is overloaded, she said.

The two types of networks still are largely independent, a problem AT&T is looking
to solve, said Kris Rinne, AT&T’s senior vice president of network technologies.
Her company has one of the largest Wi-Fi deployments of any mobile operator.

“Today, they don’t know anything about each other, and so you have to introduce
that,” Rinne said. AT&T expects Access Network Discovery and Selection Function
(ANDSF), a specification from the 3GPP, which oversees mobile standards, to help
it solve the problem.

However, ANDSF isn’t designed to make decisions about network choice in real time,
Ericsson’s Duncan said. Instead, it’s directed by overall policies that are designed
to be changed at particular times, such as when a train is scheduled to arrive at
a station. Constantly changing those policies on the fly, such as whenever the
station happened to get crowded, would put too big a burden on the network, Duncan
said. Real-time traffic steering will complement ANDSF and other standards such
as Hotspot 2.0, she said.

Ericsson’s traffic-steering feature will be an enhancement to the company’s network
management software and will arrive by the first quarter of next year. It won’t
require any special software on handsets, though it will only work with devices
that can use Extensible Authentication Protocol (EAP), according to Duncan.
Virtually all smartphones have EAP, she said.

The catch is that, for now, carriers will have to use both cellular and Wi-Fi gear
from Ericsson to get the feature, Duncan said. The core of the network can be from
another vendor, she said.

If a carrier uses two suppliers for its network, as many do, then requiring special
gear may hold up adoption of real-time traffic steering, Ovum’s Schoolar said. ■


Ericsson  demonstrated  real-time 
traffic  steering  between  Wi-Fi  and 
cellular  at  CTIA  Wireless. 


Rackspace  beefs  up  cloud  networking  features 


BY BRANDON BUTLER

PUBLIC CLOUD and managed hosting provider Rackspace has rolled technology from
Vyatta into its services, allowing customers to set granulated network segmentation
policies that dictate which users and what type of traffic have access to which
hosted resources.

Vyatta — a maker of open source networking technology that Brocade purchased
earlier this year — specializes in creating virtual appliances to allow for
firewalling and blocking certain types of traffic to access endpoints.

Rackspace hopes that customers will use the Vyatta technology along with the
company’s Cloud Networks, which allows users to create VPNs. Combining that feature
with a Vyatta firewalling product would allow only users with certain credentials
or specific types of traffic workloads to access that network, and block any other
attempts to use it.

So, for example, if there is a set of servers in Rackspace’s cloud holding sensitive
documents or information, Cloud Networks and Vyatta could be used to set up a
private network connection between certain users and those servers, and restrict
all other traffic. Vyatta also allows for layered firewalling, or virtual firewall
appliances sitting on either end of the network connection to provide extra security.

Rackspace CTO John Engates says these technology enhancements get customers “that
much closer to proving compliance with a specific regimen using a commercial grade,
hardened firewall.”

Physical hardware appliances have allowed this functionality in the past, but
Engates says incorporating Vyatta technology into Rackspace’s cloud allows customers
to use a virtual appliance only as it’s needed without having to buy a physical
box. Customers have also had an opportunity to use open source firewalling tools,
but this rollout gives customers a commercially supported product to implement.
Rackspace will offer support services for deploying the system as well. It will
first be available via a 30-day early adopter period, and then will be generally
available to all customers. ■
TREND ANALYSIS

Justice Dept. lays out cybersecurity basics

BY MICHAEL COONEY

THE MANTRA is old but worth repeating since it’s obvious from the number of
cybersecurity breaches that not everyone is listening.

Speaking at the Georgetown Cybersecurity Law Institute last week, Deputy Attorney
General of the United States James Cole said there are a ton of things companies
can do to help government, and vice versa, combat cyber threats through better
prevention, preparedness and incident response.

“Some of this may seem quite basic to many of you, but it doesn’t hurt to hear it
again. Unless we work together, we will not be able to address the cyber threat
successfully,” Cole said.

Here are eight key areas Cole said companies should pay close attention to:

Prevention: Companies should put best practices and technologies in place. For
example, each company needs a strong system of network firewalls. You, of course,
need an external firewall. This will serve to protect you from the hacker trying
to get inside. But that’s not enough. No matter how strong your external firewall
is, the likelihood is that a hacker will inevitably break inside. So you also need
internal firewalls. These should wall off different departments or divisions in
your company from each other. And those areas that contain your company’s most
sensitive and valuable information should have particularly robust protections.
This way, even if a hacker gets onto your network, he doesn’t get very far. Or,
at least, he doesn’t get to your company’s most sensitive information.

Education: Companies need to educate their employees on intrusion techniques such
as spear-phishing or redirecting websites — the scams that use a combination of
email and bogus websites to trick victims into clicking on website links or opening
attachments. It only takes the carelessness of one employee to let a hacker into
your network. So companies need to train their employees to recognize and avoid
these kinds of scams.

Passwords: The strongest password system has multiple layers, and yes, I know it
is a pain, but it is so much less of a pain than losing all your data, your trade
secrets, or your financial information. This may require the user not only to type
in a number of different passwords, but also to send images or even to do a form
of biometrics. You should consider using all of these to protect your core, most
sensitive network areas.

Share: You’re going to need up to date information on what cyber threats are out
there and what they look like. Participating in information sharing platforms like
InfraGard can help you in this regard. InfraGard is an FBI-sponsored initiative
that brings together representatives from the private and public sectors to help
protect our nation’s critical infrastructure from attacks by terrorists and
criminals. Members have access to FBI secure communications network featuring an
encrypted website, web mail, list serves, and message boards. FBI uses the InfraGard
website to disseminate threat alerts and advisories. InfraGard also sends out
intelligence products from other agencies.

Beyond InfraGard, you can access other information sharing organizations like the
Information Sharing and Analysis Centers. ISACs are trusted groups established by
critical infrastructure owners and operators. There are different ISACs for
different sectors and areas of expertise. Members of ISACs share information with
each other and maintain contacts with the government to share and receive cyber
threat information. Services provided by ISACs include risk mitigation, incident
response, and information sharing. Depending on the ISAC, you may have access to
a 24/7 security operations center, briefings, and white papers.

Government too: What can the government do to help with prevention? Well, for
starters, we can share actionable information with you. We have collected and
shared hundreds of thousands of indicators of malicious activity with the private
sector and over a hundred nations. And this is just in the past six months. These
indicators include information like IP addresses associated with malicious activity.

You may have also heard about ECS — the Enhanced Cybersecurity Services program.
This is a program that has been available to the U.S. defense industrial base. The
Department of Homeland Security has been working with cybersecurity organizations
from across the federal government to gain access to a broad range of sensitive
and classified cyber threat information. DHS provides that information to qualified
service providers to help them counter known malicious cyber activity.

Standards: The National Institute of Standards and Technology — NIST — has the
responsibility, along with the private sector, to develop a framework of baseline
standards for cybersecurity. The framework’s purpose is to assist owners and
operators of critical infrastructure to identify and manage risks posed from cyber
threats. Once the Framework is established, DHS will establish a voluntary program
to support adoption of the framework. While the framework is directly applicable
to critical infrastructure members, there is nothing that prevents all companies
from adopting the framework as part of their cyber program.

Advance prep: Even a well-defended organization will inevitably experience a cyber
incident at some point. Therefore, your company has got to have a strong and
comprehensive plan for responding to a cyber incident. Determine what kinds of
filters to employ in the face of a distributed denial-of-service attack, how to
implement mechanisms to shut down access to important sectors of your computer
systems, procedures to change passwords and access controls, and provisions to
preserve all your critical data to ensure continuity of your company’s operation
if your data has been destroyed. And importantly, mechanisms to notify customers
or employees if personally identifiable information (PII) has been stolen.

Financial obligation: Finally, think about your cyber protection program from the
perspective of your shareholders. The SEC has issued specific guidance regarding
disclosure obligations relating to cybersecurity risks and cyber incidents. The
guidance, which was issued in 2011, makes clear that there are particular obligations
that apply before, during, and after a cyber incident. But you should think about
your disclosure obligations beyond just particular cyber incidents. If you had to
explain to your shareholders how you are going about protecting the most valuable
trade secrets of your company, or its financial information, or its critical
operations, or the PII of your customers or employees, what would you want that
explanation to look like? What kind of impression would you want the investing
public to have about your dedication to cyber protection? ■


U.S.  Deputy  AG  James  Cole 
7 steps to securing Java

Warnings from Homeland Security should prompt security pros
to harden enterprise nets against Java-based exploits

BY SUSAN PERSCHKE

JAVA, THE popular OS-independent platform and programming language, runs on just
about every kind of electronic device imaginable, including computers, cellphones,
printers, TVs, DVDs, home security systems, automated teller machines, navigation
systems, games and medical devices.

In response to successful Java-based exploits against companies like Twitter,
Facebook, Apple and Microsoft, and continued concern over “zero-day” security flaws
that could allow an attacker to remotely execute malicious code that could
compromise vulnerable systems, the U.S. Department of Homeland Security’s Computer
Emergency Readiness Team (CERT) has issued multiple security advisories concerning
Java.

Here are seven steps you can take to protect your network against Java-based
exploits. Given its ubiquity, completely removing Java is probably out of the
question for most organizations. But here’s a seven-step action plan that won’t
necessarily guarantee security, but will help mitigate threats by creating
awareness, hardening systems and reducing attack vectors.


1 Perform an impact analysis

A good starting point is to identify where and how Java is used both inside and
outside the organization. Does your organization provide Java-dependent applications
that are accessed by vendors, clients and/or the general public? Unless you have
already taken steps to limit the use of Java, you most likely will find it present
in most Internet browsers, as part of the OS (especially certain versions of Mac
OS) and in any number of popular applications. The latter is probably going to be
the biggest unknown, as a vast number of commercial and open source software
applications are built on the Java platform. Start by ferreting out which
applications use Java. Is the app business-critical? Knowing the full scope of
your organization’s dependence upon Java-based apps and platforms is a necessary
prerequisite to controlling risks.


2 Keep Java updated and patched at all times

It is of paramount importance to keep all computers and devices up to date with
the latest version of Java. Oracle supports only the latest version — no security
patches are available for previous versions. Obtain updates directly from Oracle
to reduce the risk of code injection. Another important step is to uninstall older
versions of Java manually, as simply installing the latest version does not
necessarily ensure that older versions are removed. Consider limiting the use of
Java-based apps to virtual machines that can be started up when needed and left
unpowered when not.

Also keep in mind that some applications may use earlier versions of Java, and
these could break after updating to the latest version. If your app relies on an
outdated version of Java, this poses a much greater security risk and any outdated
apps should be updated or replaced.

3 Manage Java Control Panel settings

There are numerous settings available from the Java Control Panel (available on
both Windows and Mac clients). These provide fairly granular control of how Java
is configured on client computers, from automating updates to managing security
settings. Automatic updates can be configured to notify or download the latest
update, but regrettably there is no current enterprisewide capability to
automatically install updates. This means manual steps are needed to ensure the
latest updates are applied.

As for security settings, the last few updates of Java Version 7 have been
automatically set to use the “high” security setting, which is designed to prompt
users before running unsigned or self-signed applets. This is a change from recent
versions of Java where the default was “medium.” From the Java Control Panel, you
can also disable Java when you’re not using it, but there are some reports of
unsigned and self-signed applets being allowed without prompting when you re-enable
Java.

4 Harden Web browsers

Wherever possible, disable Java in Web browsers. If for some reason this is not
an option, at least consider disabling remote access to Java applets. One solution
is to use a proxy server that restricts remote Java requests, but allows them
locally.

Another approach recommended by some IT administrators is to use two different
browsers, one that has Java enabled for use when you absolutely need to access
sites requiring Java and one for all other browsing. Enforcing this in the
enterprise might be challenging, but you could set up proxy rules that only allow
one type of browser to access Java sites, while blocking others.
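
An added example, not part of the original article: a small Python audit of a client's deployment.properties file (the file behind the Java Control Panel) for the security-level and browser settings discussed in steps 3 and 4. The property names are the ones Oracle documents for the Java 7 deployment configuration and should be checked against the JRE release in use; the two sample files are constructed.

```python
"""Audit Java deployment.properties content for Control Panel hardening."""

# Property names from Oracle's Java 7 deployment configuration documentation
# (assumption: confirm against the documentation for the installed JRE).
LEVEL_KEY = "deployment.security.level"
WEBJAVA_KEY = "deployment.webjava.enabled"

# Security slider values, ordered weakest to strongest.
LEVELS = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH"]

# Constructed sample: a client left at the older "medium" default.
WEAK_SAMPLE = """\
# constructed sample, not taken from a real host
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
"""

# Constructed sample: a system-level file pushed by an administrator.
HARDENED_SAMPLE = """\
# constructed sample, not taken from a real host
deployment.security.level=VERY_HIGH
deployment.security.level.locked
deployment.webjava.enabled=false
"""


def parse_properties(text):
    """Parse the simple key=value / key:value subset of .properties files."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        for i, ch in enumerate(line):
            # The first unescaped '=' or ':' separates key from value.
            if ch in "=:" and (i == 0 or line[i - 1] != "\\"):
                key, value = line[:i], line[i + 1:]
                break
        else:
            key, value = line, ""  # bare key, e.g. "<property>.locked"
        props[key.strip()] = value.strip()
    return props


def audit(text, minimum="HIGH"):
    """Return a list of findings; an empty list means the file passes."""
    props = parse_properties(text)
    findings = []

    level = props.get(LEVEL_KEY)
    if level is None:
        findings.append("security level not set: the JRE's own default applies")
    elif level.upper() not in LEVELS:
        findings.append("security level %r is not a recognised value" % level)
    elif LEVELS.index(level.upper()) < LEVELS.index(minimum):
        findings.append("security level %s is below %s" % (level, minimum))

    # A ".locked" entry (honoured in the system-level file) stops users
    # from lowering the setting in their own Control Panel.
    if LEVEL_KEY + ".locked" not in props:
        findings.append("security level is not locked against user changes")

    # Java content in the browser stays enabled unless explicitly set false.
    if props.get(WEBJAVA_KEY, "true").lower() != "false":
        findings.append("Java content in the browser is enabled")

    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        result = audit(sample)
        print(name, "->", result if result else "no findings")
```

Run it against each user's and the system-wide copy of the file; a user-level file that passes says little if the system-level file does not lock the setting.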

5 BYOD endpoint control

In this age of bring your own device (BYOD), grappling with the many personal
devices employees use to connect to the corporate network presents its own set of
challenges. Java is widely used in mobile applications, so you may want to develop
corporate policies to govern how BYOD access is provided. Several of the newer
“smart devices” running Android, iOS, Windows Phone and BlackBerry 10 operating
systems do not embed Java. However, the Nokia 40 series and the Bada operating
system developed by Samsung, an OS that is becoming more popular, are both
Java-based. Also, it should be noted that since Java ME (Micro Edition) is
restricted to JRE 1.3, it is somewhat unclear if any of the latest vulnerabilities
are present in Java ME. However, by implementing endpoint control policies, you
can ensure that access to the enterprise network is restricted to only certain
types of devices with the latest updates applied.

As mentioned in the introduction, Java is also used in a variety of other devices
such as printers, security systems, payment terminals, etc. Try to identify all
devices used in your organization that rely on Java and work closely with vendors
to manage risks. Depending on the size of your organization, this may require a
task force.

6 Review Java impacts on corporate websites and customer portals

Corporate websites are important marketing tools and frequently also a considerable
source of revenue through e-commerce. If your website uses Java applets, it might
be time to make some changes as you don’t want to be caught with critical website
functionality inoperable due to visitors having disabled Java. Also, when dealing
with public end users, you may encounter instances where

►  See  JAVA,  page  18 
Lync-Skype integration live now worldwide

BY JUAN CARLOS PEREZ, IDG NEWS SERVICE

MICROSOFT HAS completed the first phase of the integration between its enterprise
unified communications (UC) Lync server and its Skype consumer IM and IP telephony
network.

The company announced on Wednesday that it’s now possible for Lync and Skype users
to contact each other, engage in IM text sessions and communicate via audio calls.
Videoconferencing integration will be delivered later.

Microsoft disclosed its Lync-Skype plans last year, and in February demonstrated
the interaction between the two products for the first time, promising global
availability of the first phase of the integration in June of this year, a deadline
it has now met.

The interoperability works both for companies that have Lync 2010 and Lync 2013
installed on their own servers and for companies that use it as part of the
Microsoft-hosted Office 365 suite, whose other components include Exchange Online
and SharePoint Online. Skype users must have the latest client software for Windows
or Mac OS.

Lync is used by more than 90 of the Fortune 100 companies, and the product provides
voice communications for 5 million enterprise users, while Skype has 300 million
active monthly users, according to Microsoft.

Enterprises can benefit from the integration in two main ways, says Henry Dewing,
a Forrester Research analyst. First, Lync users will be able to communicate with
customers, partners and other outside parties who use Skype. Second, Lync customers
will be able to have some users on Lync and others on Skype.

“The federation of Lync and Skype will enable closer communications and the sharing
of presence and availability data, making communications more efficient,” Dewing
says.

Security and compliance concerns about using Skype — a consumer service — from
enterprise IT leaders shouldn’t be major at this point, he says. Microsoft owns
both products and has been working on the integration for a while, and even before
the $8.5 billion acquisition in 2011, Skype had been strengthening the service for
workplace use, releasing a version called Skype for Business, Dewing says.

At L’Occitane en Provence, the French skin care and beauty products company, the
Lync-Skype integration has been in demand by its users, according to Stephen Roux,
the company’s infrastructure manager. L’Occitane standardized on Lync years ago
for telephony, videoconferencing, IM and presence.

“In a perfect world everybody would use Lync but that’s not the case. We have to
interact with partners and customers, and most of them are already using Skype,
so it makes a lot of sense for us to be able to communicate directly with Skype
users from our Lync infrastructure,” he says. “It will make our users more
productive.”

Of course, in a really perfect world, there would be universal interoperability
among IM networks, but that is far from the case. Despite some improvements over
the years, like the development of the XMPP (Extensible Messaging and Presence
Protocol) protocol, many IM networks remain walled gardens, Skype being an example.

In a setback to interoperability, Google, which had been an advocate and backer of
XMPP, supporting it in its Talk IM service, recently announced that its new IM and
audio/video product Hangouts has been built using proprietary technology and
doesn’t offer server federation based on the standard protocol.

Lync Server, the version of the product that is installed on customer premises,
supports XMPP and has some capabilities to interoperate with proprietary IM
networks, like the ones from AOL and Yahoo, as described in Microsoft documentation.
However, Lync Online, the hosted version in Office 365, doesn’t offer this
interoperability.

However, even the existing federation between Lync Server and the IM networks from
Yahoo and AOL is being phased out, according to a spokeswoman for Microsoft, who
says the agreements with those two providers “are winding down.”

“Service will continue with Yahoo through June 2014 for customers licensed with
the Microsoft Lync Public IM Connectivity User Subscription License (PIC USL),”
she said via email, adding that the PIC USL is no longer available for purchase
for new or renewing agreements.

“Customers with licenses purchased prior to this date will be able to continue to
federate with Yahoo until the service shutdown date or their license expiration.
Federation with AOL will continue through June 2014 for existing customers,” she
says.

For now, Lync customers can at least count on the interoperability with Skype. ■


►  JAVA,  from  page  16 

users have not only disabled Java applets, but JavaScript as well. To ensure high
availability, use detection scripts to deal with this contingency and redirect
customers as needed.
7 If you are developing in Java, do so responsibly

If you are developing in Java, don’t add to the industrywide problems by producing
unsigned or self-signed apps. Sign all apps using a trusted certificate authority
and adhere to other industry best practices for Java development. In an effort to
encourage developers to use trusted certificate authorities, Oracle’s Java 7
Update […] red flags to users about the security risk of running unsigned applets.

Some third-party solutions such as Entrust Authority Security Toolkit for the Java
Platform allow Java developers to add security-related features like encryption
and digital signatures to their applications.

Conclusion 

Of late, Oracle has significantly stepped up its efforts to correct flaws and
vulnerabilities in its Java platforms. However this is playing out as a game of
cat and mouse, as new exploits are discovered sometimes within hours of the latest
patch. The rapid change cycle is also causing other collateral consequences. Some
users report being able to run unsigned applets in IE9 on Windows 7 even if the
settings are “high” or “super high.” Others are reporting issues with legacy
applications not running properly under the latest releases of Java 7. Suffice it
to say that many Java platforms and applications are in a state of flux, with
security concerns remaining. Hence the need to keep a watchful eye. Oracle declined
comment on the topics in this article. ■

Perschke is CSO for Arc Seven Technology. She is also an experienced technical
writer, and has written numerous white papers for a number of organizations,
including Fortune 500 companies. Susan can be reached at susan@arcseven.com.
View from inside Verizon’s security team

Bryan Sartin is director of Verizon’s RISK Team, the communications provider’s
computer forensics practice, which is also the group that helps create the annual
Data Breach Investigations Report (DBIR). Network World Editor in Chief John Dix
caught up with Sartin to learn more about the RISK Team, get his take on the state
of enterprise security, and discuss new findings from the recently published DBIR
report.


Bryan  Sartin, 
director,  Verizon’s 
RISK  Team 


You  lead  what  looks  to  me  to  be  a 
security  SWAT  team.  Tell  us  about  it. 

RISK stands for Research, Investigations, Solutions and Knowledge, and we have two
specific areas of focus. One is for everything that Verizon does in cloud, IT and
security. We handle incidents of a civil and criminal nature for Verizon customers,
whether they are on or off the Verizon network. And that spans digital forensics,
computer incident response, IT investigations, but also electronic discovery. And
in that capacity we’re one of the largest IT investigative entities in the world.
We operate digital forensic labs in five countries and have full-time investigators
in 21 countries.

Our second area of focus is intelligence. Case by case, in data centers around the
globe, we pick up little artifacts of intelligence from our field work and process
and convert that into knowledge we use to improve products, drive innovation and
secure Verizon. But we also deliver that security knowledge to clients on a regular
basis.

Was  RISK  home-grown  or  did 
it  stem  from  acquisitions? 

It’s  grown  in  a  variety  of  ways.  Verizon  has 
had  security  capabilities  for  a  long  time 
because  security  and  Internet  services  just 
go  together  hand  in  hand.  If  you’re  going  to 
provide  someone  access  to  the  Internet,  then 
helping  them  access  it  in  a  secure  fashion  is 
something  that  makes  sense.  I  came  in  from 
the  Cybertrust  acquisition  in  2007,  and  a 
large  percentage  of  my  team  did  as  well.  I 
believe  Cybertrust  was  the  largest  privately 
held  information  security  services  company 
in  the  world  at  the  time. 

We thought we had the brightest minds, the best people and the best
tools at our disposal, but it was one of those things where you didn’t
realize what you didn’t have until you became part of this great big
Verizon. Then we started getting access to the assets here and people
from other Verizon acquisitions over the years. So we came into an
environment where there was a very established security services
capability and reinforced what was there.

Today we have a little more than 100 people and four background types
on the team. A good percentage is from law enforcement, another is from
military or military intelligence, which plays very well into that
second focus I mentioned; folks like myself have more systems
engineering backgrounds, and then you have others from institutional
IT type roles.

What  types  of  things  do  you 
get  called  in  to  examine? 

The most common thing is the IT investigation. We’re called in when the
customer believes there is enough evidence of a security breach to
retain an outside professional investigations company. So typically you
have employees or customers complaining of fraud, or, in the last year
or two, the FBI reaching out to a company saying, “Look, here’s some
things you need to know. You may have suffered some type of APT attack
in and around this date and time.” So they call us with what they
believe is hard evidence of a security breach and our job is to look at
their great big network and all the moving parts and determine, did
this or did this not happen?

And based upon the facts, can we prove or disprove the source, show how
they got in, what they took, make sure we can stop the bleeding and
contain the situation, and then finally do what’s necessary to set the
stage for prosecution? So we oftentimes play a pre-law enforcement type
role where we’re bringing together facts and evidence and building
conclusions and transitioning our findings over to law enforcement to
take the final step.

Why  do  companies  hire  you 
vs.  a  competitor? 

The biggest difference is the reach of Verizon’s operations. We have a
true international capability and that helps us better understand the
legalities and all the rigmarole that goes into international
investigations. But there’s also the network. I could spend hours on a
white board showing you some of the ways we can derive incredible types
of intelligence off the Verizon backbone that helps us do things like
identify sources. We can perform entire remote investigations without
even going to the customer’s premises. Figure out who did it, where
they came from, what tools and methods they used, and what they took.
Then we can pinpoint crimes back to adversaries, link many crimes
together or even turn on intrusion detection systems out in the cloud
and point them at one or many networks. We have some very unique
capabilities.

Do  you  get  involved  with  the 
government  at  all? 

Yes, both as a service provider and also for intelligence sharing. It’s
become clear that there’s strength in numbers when it comes to
collecting and exchanging security intelligence, especially
understanding the adversaries and how they work. Our entire remote
investigations capability is supported by intelligence collection and
sharing. The more we know the more we are able to see little facets.

Somebody comes to us and says — “Look, we’ve got this point of entry
and we see activity on these ports at these dates and times, and here’s
where it appears to be coming from.” And with good intelligence-based
research you can take little artifacts like that and convert them into
an entire picture. We know who did it, where they came from, how they
got in, see that this is linked to these three other investigations
we’ve conducted, and I can tell what’s under that rock before we get
there. A lot of that’s born out of the sharing we do with government.

So  how  bad  is  it  out  there? 

I don’t want to scare anybody with fear, uncertainty and doubt. That’s
certainly not the point of our data breach report. It’s really about
understanding the nature of the threat and how to defend against them.
But the unfortunate truth is there’s more concurrent criminal activity
out there facing companies than ever before. It’s more tumultuous and
there’s more diversity in the threats they face.

In your data breach report you talk about hacktivism, espionage and
financially motivated crime. Have the rankings of those threats
changed?

Significantly, yes. Financial crimes still dominate the landscape, but
last year hacktivism really blew us away. People naturally associate
hacktivism with distributed denial of service, but suddenly hacktivism
accounted for more stolen records than financial crimes. And this year
the big change is around cyber-espionage. People have asked us — “Where
is this APT thing I keep hearing so much about?” And no matter where we
looked there just wasn’t much data on it to speak of. But now in this
past year cyber-espionage — stealing intellectual property or other
types of information — accounts for about 20% of the cases.

Anything  new  on  the  insider  threat  front? 

Insider threats do factor into our findings. Generally people have this
perception that most of their exposures and moving parts are internal
so, threat landscape-wise, the biggest danger is inside jobs. That was
a myth we tried to bust in the past by showing that inside jobs are not
only less than you expect, but they’re considerably less.

In  the  last  few  years  they’ve  been  below 
5%,  and  in  this  last  year  they  are  below  1% 
of  the  overall  threat  landscape.  It’s  external 
breaches  that  really  hit  victims  the  hardest, 
irrespective  of  industry.  This  year  we’ve  seen 
inside  jobs  jump  up  a  bit,  but  it’s  still  smaller 
than  people  expect.  It’s  just  that  they  do  tend 
to  hurt  victims  more  when  they  happen 
because  there  is  a  larger  average  record  set 
stolen  on  an  inside  job. 

Turning  back  to  cases  where  you 
get  called  in  to  investigate,  are 
there  any  stories  you  can  share 
about  things  you  encounter? 

Sure. One involved a large international company with a very
recognizable brand name that had received an extortion attempt that
started with a series of emails. As is typical in these things, no one
notices the first five or six emails, but finally one of the execs saw
this thing and thought it sounded pretty real. They notified somebody
in security and ultimately we were engaged to investigate. They had us
on retainer, a guaranteed 24-hour response to computer security
emergencies, so they picked up the phone.

To make a long story short, the extortionist was in essence holding
them up for ransom. He had some information and some intellectual
property of theirs and he threatened to release this information if our
customer did not meet his demands.

When you have an extortion attempt, typically you want to keep the
extortionist communicating because the more communications you have the
greater the possibility to identify his location or discover some other
useful information. In this case the perpetrator seemed quite chatty.
And what we found was he would be willing to drop the whole extortion
attempt if we were willing to offer him employment. So we arranged,
believe it or not, a job interview at the local airport and he in fact
showed up for this meeting. Only the folks who sat down and interviewed
him were members of law enforcement.




That’s  crazy.  Any  more? 

There  was  the  one  more  recently.  A  customer 
called  us  and  said,  “We’ve  got  a  situation 
where  an  employee’s  credentials  appear  to 
have  fallen  into  the  Chinese  government’s 
hands.  We’re  getting  many  connections  in 
the  middle  of  the  night  using  this  employee’s 
credentials,  only  this  employee  is  here  in  the 
United  States,  right  in  a  nearby  office.  He’s 
working  in  the  office  every  day.” 

That’s  not  unusual.  Four  out  of  five  attacks 
in  our  data  breach  report  this  year  involve 
exploited  or  stolen  credentials.  So  we  started 
to  dig  in,  looking  into  how  they  were  stolen,  if 
others  were  stolen,  try  to  see  what  might  have 
been  touched,  and  figure  out  how  to  block 
future  access. 

But we started by talking to the developer whose credentials were
taken. Oftentimes the former cops on the team can sit down with
somebody and get a feeling pretty quickly about whether or not they’re
squirrelly. And the more we pushed this guy the more squirrelly he
became, and finally it turned out he had an interesting take on his
job. He saw his job as an outsourcing opportunity.

He was shipping his work overseas to a software development firm in
China. He would get assignments, ship those assignments out and they
used his ID to log in to the systems and actually do all the staging,
test and development and actually move stuff into production. He’d show
up in the morning and say, “Yeah, look at what I produced,” and then
he’d spend the rest of the day surfing eBay.

What  do  you  make  of  the  oft-referenced 
idea  that  the  bulk  of  security  problems 
stem  from  the  fact  that  security 
tools  are  not  configured  correctly? 

That’s true, to a very great extent. Many intrusion detection systems,
for example, are not configured properly, but even when they are they
still generate too much noise. If someone opens up on average 90 alerts
a day per IDS probe and each one of those takes, what, something like
3.9 minutes to vet, it’s only a matter of time before they just don’t
notice the real important stuff breeze by.

There  is  a  lot  of  talk  about  big  data 
being  the  answer.  What  do  you  think? 

What we’re doing with the data breach report is an example of looking
for commonalities or patterns inside big data, but where the rubber
really hits the road is around sharing intelligence. I think sharing
indicators and the TTPs — tools, techniques and procedures — of
adversaries carries a lot more power than most people know. And it
takes a big data approach to really put this kind of stuff to good use.
That’s something we’re doing.

I mentioned that remote investigations capability, which is all based
upon intelligence that we collect and we share with third parties, and
we link many cases together based upon big data mining. If you put
together the adversary’s IP addresses, the tools, the techniques, the
malcode hash patterns, you put all this stuff together in this big data
mine, then when you get one little ingredient from a customer and you
can go back in and say, “Well, that’s interesting. They complained
about activity on these ports at these times and they saw this
particular source,” and you can bring up those records and quickly tie
that back to an adversary.

“You  know,  I  saw  that  adversary  in  at  least 
17  other  crimes  over  the  last  18  months  and 
almost  all  of  those  crimes  use  this  point  of 
entry  and  this  malcode  and  they  were  found 
on  these  kind  of  systems  in  these  folders,  and 
they  stole  this  kind  of  data,  and  here’s  how 
they  got  it  out.”  And  you  can  build  accurate 
predictors  on  what  you’re  likely  to  find  in  the 
on-site  investigation,  all  just  out  of  that  data 
mine.  ■ 
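
The case linking Sartin describes in his last answer, as an added example that is not Verizon's tooling and not part of the interview: past cases are indexed by the indicators seen in them, a new report's few artifacts are scored against that index with rare indicators counting for more than common ones, and the linked cases are tallied to predict what the on-site work is likely to find. Every case record, cluster label, field name and indicator value is constructed for illustration; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Link a new incident report to past cases through shared indicators.

Added illustration. All cases, adversary labels and indicator values are
constructed sample data, not real intelligence.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
import math


@dataclass
class Case:
    case_id: str
    adversary: str            # analyst-assigned cluster label (assumption)
    indicators: frozenset     # (type, value) pairs observed in the case
    findings: dict = field(default_factory=dict)  # what the investigation found


def _case(case_id, adversary, indicators, **findings):
    return Case(case_id, adversary, frozenset(indicators), findings)


# Constructed "data mine" of closed cases.
CASES = [
    _case("C-101", "cluster-A",
          [("ip", "192.0.2.10"), ("port", "3389"), ("hash", "aaaa1111"), ("tool", "tool-alpha")],
          entry="remote-admin", data="payment-cards", exfil="ftp"),
    _case("C-102", "cluster-A",
          [("ip", "192.0.2.10"), ("ip", "192.0.2.11"), ("port", "3389"), ("hash", "aaaa1111")],
          entry="remote-admin", data="payment-cards", exfil="ftp"),
    _case("C-103", "cluster-A",
          [("ip", "192.0.2.11"), ("port", "3389"), ("hash", "bbbb2222"), ("tool", "tool-alpha")],
          entry="remote-admin", data="payment-cards", exfil="http-post"),
    _case("C-201", "cluster-B",
          [("ip", "198.51.100.7"), ("port", "443"), ("hash", "cccc3333"), ("tool", "tool-beta")],
          entry="phishing", data="intellectual-property", exfil="https"),
    _case("C-202", "cluster-B",
          [("ip", "198.51.100.7"), ("port", "3389"), ("port", "443"), ("hash", "cccc3333")],
          entry="phishing", data="intellectual-property", exfil="https"),
]


def build_index(cases):
    """Inverted index: indicator -> ids of the cases it was seen in."""
    index = defaultdict(set)
    for case in cases:
        for indicator in case.indicators:
            index[indicator].add(case.case_id)
    return index


def indicator_weight(indicator, index, total_cases):
    """Rare indicators discriminate; one seen in every case weighs zero."""
    seen_in = len(index.get(indicator, ()))
    return math.log(total_cases / seen_in) if seen_in else 0.0


def link_report(report_indicators, cases):
    """Rank adversary clusters by weighted overlap with a new report.

    Returns [(adversary, score, [matched case ids])], best match first.
    """
    index = build_index(cases)
    by_id = {case.case_id: case for case in cases}
    scores = defaultdict(float)
    matched = defaultdict(set)
    for indicator in report_indicators:
        weight = indicator_weight(indicator, index, len(cases))
        for case_id in index.get(indicator, ()):
            adversary = by_id[case_id].adversary
            scores[adversary] += weight
            matched[adversary].add(case_id)
    ranked = sorted((a for a in scores if scores[a] > 0),
                    key=lambda a: (-scores[a], a))
    return [(a, round(scores[a], 3), sorted(matched[a])) for a in ranked]


def predict_findings(adversary, cases):
    """Most common finding per field across the cluster's past cases.

    Returns {field: (value, cases_with_value, cases_in_cluster)}.
    """
    linked = [case for case in cases if case.adversary == adversary]
    tallies = defaultdict(Counter)
    for case in linked:
        for key, value in case.findings.items():
            tallies[key][value] += 1
    return {key: (*counter.most_common(1)[0], len(linked))
            for key, counter in tallies.items()}


if __name__ == "__main__":
    # The "one little ingredient": a port and a source address from a customer.
    report = {("port", "3389"), ("ip", "192.0.2.11")}
    for adversary, score, case_ids in link_report(report, CASES):
        print(adversary, score, case_ids)
        print("  likely findings:", predict_findings(adversary, CASES))
```

The port alone matches four of the five cases and contributes little to the score; the source address, seen in only two, is what separates the clusters.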
Gearhead’s 2013 Summer Reading List

Mark Gibbs’ Gearhead


As I note in Backspin, as of the 24th of this month, I’ve been writing
for Network World for 20 years and 6 days. And my first Gearhead column
published a mere 17 years, 4 months and 5 days ago. I’m going to leave
the peering into the rearview mirror to see how we got here to Backspin
and, instead, do as I always do: talk about cool, geeky stuff you need.
Today, I have your summer reading assignments.


First, “Exploding the Phone: The Untold Story of the Teenagers and
Outlaws Who Hacked Ma Bell,” by Phil Lapsley. Lapsley takes us through
the multiple generations of the telephone system — from the system
driven by switchboard operators to the mechanical switching system
(invented by an undertaker, no less) and to the digital switching
systems — and documents what he calls “the billion dollar flaw.”
Well-researched (the book took five years to write), well-written and,
with a foreword by Steve Wozniak, one of the most famous “phone
phreaks,” “Exploding the Phone” is hard to put down, even by people who
aren’t geeks. Highly recommended.

My next choice, “The Argument Culture: Stopping America’s War of
Words,” by Deborah Tannen, is an old one that I recently reread. This
is a book that should be studied by everyone who has to deal with
argumentative people (which is to say, everyone you come into contact
with). Published in 1999, this book examines how we communicate at
home, at work and in the media, and how argumentation distorts intent
and corrupts cooperation.

Tannen  is  one  of  the  most  famous  linguists 
and  her  insights  into  how  verbal  conflict  gets 
in  the  way  of  getting  things  done  should  be 
read  by  everyone  who  has  to  deal  with  the 
politics  of  the  corporate  world. 


Another book I highly recommend for everyone in IT is “The Limits of
Strategy: Lessons in Leadership From the Computer Industry,” by Ernest
von Simson. Von Simson has had a fascinating role in the IT world
through his consultancy, The Research Board, where he got to work with
a who’s who of the computer business. Von Simson discusses why
businesses fail, why corporate “vision” is often inadequate, and how
the best laid plans of mice and CEOs “Gang aft agley, An’ lea’e us
nought but grief an’ pain.” What I got from this book, beyond a better
insight into the formative years of the IT industry, was that even the
best companies have real, hard limits on what they can cope with in
terms of a changing marketplace.

And my final book choice is one I’ve just started and which was
recommended to me by my old friend Chuck Pappageorgiou. The book,
“Business Model Generation,” which describes itself as “A handbook for
visionaries, game changers and challengers,” was created by a coalition
of 470 strategy practitioners from 45 countries led by a core team. The
real value of this book and its approach is to re-frame and organize
how you go about building or examining a business model. There’s also
an iPad app and a Web service that provide the tools to get the job
done and lots of examples of how real-world business models work.

So, there’s your summer reading list. I expect a report from each one
of you. And if you’ve got any “must read” books of your own, let me
know. ■


Shhh, Gibbs is reading in Ventura, Calif. Check out your choices at
gearhead@gibbs.com and follow him on Twitter and App.net
(@quistuipater) and on Facebook (quistuipater).

GADGETS

Keith Shaw’s Cool Tools

Logitech impresses with its wireless headset


While  we  tested  the  stereo 
wireless  headset,  Logitech 
also  offers  a  mono  version 
(shown  here  recharging  in 
the  base  station). 


Logitech  Wireless  Headset  Dual  H820e 

by  Logitech,  about  $200  (mono  version  costs  about  $180) 

► What it is: This headset includes stereo earphones and a flexible
boom microphone (it can be rotated so the microphone can be used on the
right side or left side), and is geared toward business users who use
unified communications (such as Microsoft Lync or Cisco platforms) or
PC-based softphones (including Skype and Google’s voice apps). The
headset connects wirelessly through a nice, small base station, which
then connects to a PC or Mac via USB cable. The base station can also
recharge the headset when you’re not using it for calls. Logitech
offers two models — mono (one ear) or stereo (sound in both ears).

► Why it’s cool: The headset’s wireless connection uses the Digital
Enhanced Cordless Telecommunications (DECT) standard, which lets you
move up to 300 feet away from the base station. In my tests, I could
wander around most of the Network World editorial offices without
experiencing any loss in sound or voice quality. The additional roaming
area, compared with Bluetooth’s typical 30-foot range, makes it useful
if you need to get up from your call to grab something, or if you’re
working at home and need to make a fridge or bathroom run during a call
(just be sure to mute the microphone during those situations!). The
DECT standard also reduces any potential interference issues that you
might discover with Bluetooth or Wi-Fi devices in a busy office
environment.

Cushions on the ear pads and under the bar connecting the ear pads (on
top of the headset) make it comfortable enough to wear on your head
when you’re not on a voice call — if you like to listen to music while
working, you can keep these on most of the day without worrying that
your ears are going to get sore.

In my tests, the sound quality via a Skype call was pretty good —
definitely better quality than relying on the microphone built into the
PC/Mac. The headphones picked up some external noise during the call,
but that could be Skype compensating for volume changes from the caller
on the other end — if the person you’re calling moves away from the
microphone, Skype boosts the sound. But the external noise was never
bothersome enough during my tests to make it a nuisance.

► Some caveats: Unlike some other business-focused headsets, you don’t
have any flexibility on wearing styles — you are limited to the
over-the-head style, which may turn off some users who prefer a
behind-the-head version. The unit also doesn’t offer different-size ear
pads — one size fits all here. The $200 price tag may scare off some
people — although you could switch to the less-expensive mono version,
or you could look at Logitech’s USB corded model (the H650e), which
costs about $90 (or $80 for the corded mono version). These would be
recommended for users who make a lot of phone calls via their UC or
softphone systems. Other inexpensive options are available if you are
looking to just have a headset for occasional calls or if you want to
listen to music while working.

► Grade ★★★★* (out of five).

HOWTO PRIVATE CLOUD

Four must-have features of a successful private cloud

BY CHRISTINE BURNS

A PRIVATE cloud looks and acts like a public cloud, giving your
corporation all the speed, agility and cost savings promised by cloud
technology, only it’s single-tenant, and that tenant is you, right?
Well, that’s the goal, but it’s not quite the reality yet for most
enterprises.

The definition of enterprise private cloud currently exists on a
continuum. This lack of commonly defined ground is proving to be a bit
of a stumbling block to achieving the velocity and dexterity promised
by private cloud vendors inside traditional IT settings.

Gartner doesn’t track private cloud installations at this time, says
Aneel Lakhani, research director for virtualization and cloud.

“There is zero consensus on what enterprise IT considers private cloud
to be. Installations labeled ‘private cloud’ now range from data
centers having several virtualized machines, to having some very basic
ability to automate processes, to possibly having some self-service
components. With that much variation, the results of conducting a
self-reported study based on this space would be completely invalid,”
Lakhani says.

Forrester Research late in 2012 published results of its Forrsights
Hardware Survey, in which 31% of the more than 2,300 midsize and
enterprise IT respondents claimed to already have a private cloud in
place, while another 17% said they were going to put one in sometime
this year.

“But if you dig deeper into what this self-described group is actually
doing, you can see that they may be using some sort of private cloud
portal with some underlying virtualization, but the number actually
tapping into the services that would give them the core value-add
propositions of speed and agility, is really quite low,” says Lauren
Nelson, Forrester’s private infrastructure as a service (IaaS) cloud
lead. Her firm sets that number between 7% and 13%.

That’s  the  dirty  little  secret  about 
virtualization  in  the  enterprise,  says 
Peder  Ulander,  vice  president  of  product 
marketing  for  cloud  platforms  at  Citrix. 
“Yes,  90%  of  IT  departments  have  been 
virtualized,  but  those  virtualized  data 
centers  are  generally  only  being  utilized 
to  30%  of  their  capacity,”  Ulander  says. 
“Private  cloud  is  really  about  driving 
efficiency  and  nailing  the  optimization.” 

Objectively  speaking,  analysts, 
vendors  pushing  private  clouds,  and 
practitioners  hired  to  implement  private 
clouds  say  there  are  up  to  four  basic 
tenets  that  must  be  in  operation  for  an 
enterprise  IT  department  to  fully  take 
advantage  of  a  private  cloud. 

Burns  is  a  freelance  writer.  She  can  be  reached 
at  cburnsl227@gmail.com. 


1. THERE MUST BE A CONVERGED INFRASTRUCTURE.

“We’re talking at all levels. Servers must be virtualized. There has
got to be underlying software defined networking and a converged
storage fabric,” says Andrew Hillier, CTO of CiRBA, a supplier of
capacity management software for virtualized and cloud environments in
Toronto.

Josh McKenty, CTO and founder of OpenStack-based private cloud provider
Piston Cloud Computing, echoed Hillier’s requirement of a fully
converged infrastructure. But McKenty, who has been working on private
cloud networking issues since 2008 when he was working at NASA and
served as a technical lead on the project that evolved into OpenStack,
says corporate IT must also factor in disaster recovery, replication
and placement logic for their private clouds. Also, private clouds are
likely to exist across multiple data centers, so as to support another
tenet of cloud computing, removing any single point of failure in the
service.

“This  is  not  something  that  is  done 
very  well  in  the  public  cloud  space  now 
and  it’s  an  opportunity  for  corporate  IT 
operations  that  haven’t  had  sophisticated 
systems  in  place  to  do  these  things,  to 
leapfrog  themselves  in  that  regard  in  the 
new  era  of  private  cloud,”  McKenty  says. 

2. THERE HAS TO BE FULLY AUTOMATED ORCHESTRATION OF BOTH SYSTEM
MANAGEMENT AND SOFTWARE DISTRIBUTION ACROSS THE CONVERGED
INFRASTRUCTURE.

“That is where the cost savings is. Automating deployment and
streamlining the human activity previously required to do daily tasks.
That is what will eventually drive private cloud sales,” says Robert
Miggins, senior vice president of business development for Peer 1
Hosting, which has a private cloud offering based on VMware.

You have to improve the provisioning process significantly to
legitimately call it private cloud, argues Forrester’s Nelson. “If it
takes you two weeks to provision resources now, getting that down to
two days is not going to cut it. You’ve got to get it to 15 minutes.
You can’t be sitting around waiting for various levels of approval to
happen because you lose the agility and speed. It’s the difference
between virtualization and cloud,” Nelson says.

CiRBA’s Hillier agrees that automation is crucial but advises potential
customers not to fixate on being able to roll up instantaneous
instances. “Going from weeks to deployment to mere hours might just be
good enough for your environment,” says Hillier, adding that sometimes
just being able to reserve cycles in the private cloud days in advance
might be a step in the right direction for most companies.

3. THERE MUST BE A SELF-SERVICE CATALOG OF STANDARD COMPUTING OFFERINGS
AVAILABLE TO USERS ACROSS THE COMPANY.

“The litmus test is whether or not the dashboard is available to
business users across the company and not just an interface for
traditional IT staff to use to dole out IT resources. Having just the
latter, means that IT just has a new toy,” says Piston’s McKenty.

Bluelock CTO Pat O’Day, whose company is a provider of public and
private cloud services, agrees. “True cloud means the users, and not
IT, get to control the performance of their applications based on the
resources they allocate to them.”

4. THERE HAS TO BE ACCOUNTABILITY BY WAY OF SOME SORT OF CHARGE-BACK,
TRACK-BACK OR SHOW-BACK MECHANISM THAT KEEPS TRACK OF WHICH USERS ARE
EMPLOYING WHICH RESOURCES AND FOR JUST HOW LONG.

Enterprise Management Associates analyst Torsten Volk argues that at a
minimum providing a show-back mechanism is crucial for any fledgling
private cloud. “If you can’t at least show who is responsible for the
cycles that have been used, then there is no incentive to use those
resources efficiently,” Volk says.

JC Martin, cloud architect at eBay, which is now running a
second-generation private cloud based on OpenStack technology, explains
that eBay’s homegrown chargeback program works more like a prepaid plan
where departments pay up front annually for their anticipated IT
service costs. He contends the system also helps cut down on having
machines sit idle due to departments holding onto virtual machines when
they are not using them. “Having to view reports that hold you
accountable is a big incentive not to commandeer machines you can’t
keep busy,” Martin says. ■


BY  CHRISTINE  BURNS 


ACCORDING TO Piston Cloud Computing’s CTO, the rate at which his
customers’ pilot projects turn into production private clouds is pretty
typical of most OpenStack-based providers — and it’s pretty low.

“Roughly for every 20 pilot projects we open up, we see one of them
make it into production,” says Josh McKenty, who prior to founding the
Seattle-based Piston, worked at NASA and served as a technical lead on
the project that evolved into OpenStack, one of three open source
infrastructure as a service (IaaS) platforms vying for enterprise
attention.

So  why  do  the  other  19  drop  off?  Good  question,  admits  McKenty. 

According to analysts, developers and cloud practitioners, the answer turns on
miscommunication (between corporate IT departments and their potential
“customers”), dependencies (on beloved features of gear sitting in the data center
or on the network) and unruliness (of applications not built to run on the cloud
at inception).

In  an  effort  to  increase  the  chances  of  Network  World  readers  landing  a 
successful  private  cloud  deployment,  these  experts  offer  up  some  tips  on 
how  to  avoid  the  typical  pitfalls. 


TIPS FOR AVOIDING PRIVATE CLOUD FAILURES


1 GET OUT OF THE DATA CENTER AND TALK TO ALL BUSINESS INFLUENCERS.

This  will  help  IT  execs  get  a  better  idea  of  how 
the  private  cloud  will  eventually  be  used, 
advises  Marten  Mickos,  CEO  of  Eucalyptus, 
an  open  source  private  cloud  provider  with 
close  ties  to  Amazon’s  public  cloud  scheme. 

Mickos tells the story of one large customer doing business in the tech industry
that built a private cloud to support development and testing across the company.
“Because they didn’t fully understand how much their ‘customers’ were going to
consume in the private cloud, they were experiencing 50% growth per quarter,”
Mickos says. The IT team had based the size of the private cloud on current
testing levels, but the growth was seen because the users realized how easy it was
to provision and run tests, so they ended up wanting to do more testing than
before.


2 SET USER EXPECTATIONS.

“Many folks read about the cost savings cloud automation can bring,” says Jim
O’Neill, CIO of HubSpot, and a self-proclaimed “lover of the public cloud commodity
mindset.” HubSpot is a supplier of cloud-based marketing services, which plug into
Amazon’s public cloud and Rackspace’s managed private cloud infrastructure.

“So  you  have  to  be  realistic  with  your 
developers  and  business  users  about  paying 
for  good  QoS.  Even  with  all  that  they’ve  read 
about  the  economics  of  the  cloud,  you  have  to 
make  them  fully  understand  that  they  can’t 
expect  five-nines  uptime  on  a  three-nines 
budget,”  O’Neill  says. 

The economics of private cloud vary based on the type of workload you want to run
there, explains Forrester analyst Lauren Nelson. “Basic compute is cheap in the
public cloud if the application is a variable one and it is written to run there.
But if you’ve got an application that is very compute intensive or requires
non-standard virtual machines that require increased I/O or memory, it is certainly
more economical to run that in a private cloud setting,” Nelson says.


3 MOTIVATE USERS TO TAKE ADVANTAGE OF THE PRIVATE CLOUD.

Andrew Hillier, CTO of CiRBA, a supplier of capacity management software for
virtualized and cloud environments based in Toronto, advises IT departments to
consider motivators that might drive users to take advantage of a new private
cloud installation. “Mandated use is not out of the question,” Hillier adds.

4 DON’T STAY WEDDED TO OLD DATA CENTER GEAR.

To best understand what parts of your data center and the underlying network might
throw a wrench in your private cloud, you have to be willing to abandon the status
quo. Inventory all the gear you use and the nonstandard features you employ on it.
“And then take some methadone to get off those proprietary features of your
favorite router or firewall,” McKenty says.

“Yes  you  might  love  how  a  router  vendor 
handles  a  certain  OpenFlow  feature,  but  you 
might  have  to  give  it  up.  Roll  everything  back 

►  See  TIPS,  page  32 
OpenStack vs. CloudStack vs. Eucalyptus


BY  CHRISTINE  BURNS 

OPENSTACK — co-founded by Rackspace and NASA in 2010 — certainly has the buzz, what
with partnerships with AT&T, HP and IBM, to name a few, all of which have promised
to use OpenStack as the base for their private cloud offerings.

CloudStack boasts $1 billion worth of business transactions annually running across
their clouds since Citrix released the code (Citrix picked up the technology in its
2011, $200 million purchase of Cloud.com) into the Apache open source realm in
April 2012.

And Eucalyptus — the longest-standing open source project of the three — is banking
on its very tight technical ties to Amazon Web Services (AWS) to convince
enterprises to go the hybrid route, running their private clouds on the Eucalyptus
stack and seamlessly bursting into the Amazon public cloud when necessary.

Those are the strategic battle cries as the factions spar for positioning as the
open source infrastructure as a service (IaaS) stack most tapped into for building
enterprise private clouds.

According to a study on data center expansion plans by Campos Research & Analysis
and paid for by data center solution provider Digital Realty Trust, 3 in 5
respondents — 300 IT decision-makers at large corporations in North America were
interviewed for the study — said that building a private cloud was a primary
impetus for their future data center build-out plans.

According  to  a  new  forecast  report  by  IDC, 
worldwide  spending  on  hosted  private  cloud 
(HPC)  will  grow  to  be  more  than  $24  billion 
by  2016. 

While most independent sources interviewed for this story contend that OpenStack is
a likely front-runner, they all refused to pick an ultimate winner, given that both
the definition of private cloud and statistics about the rate at which enterprises
are deploying and taking advantage of private clouds have been slippery little
devils to pin down.

“What I can say, though, is that having three open source cloud stack options
jockeying for position as the best one out there does bode well for one of them
getting to widespread adoption in the enterprise in the future,” says Aneel
Lakhani, research director for virtualization and cloud at Gartner.

Open source cloud platforms are attractive for the same reasons Linux took hold:
low-cost point of entry and the prospect of application portability.

Deep  dive  into  the  differences 

There are certainly technical differences between the three open source stacks.
Independent cloud application development consultant Daniel Kranowski of Business
Algorithm, in a talk at the JavaOne conference late last year, gave a thorough
comparison of the stacks based on their architecture, installation, administrative
capabilities, security and high availability.

Kranowski described CloudStack as having a monolithic architecture, installation
processes that required a medium level of time and expertise, a strong GUI and an
Amazon EC2-like command-line interface (CLI), offering baseline security ties and
offering some load balancing capabilities.

Kranowski said that Eucalyptus’ architecture comprises five parts, similar to AWS,
that its level of install difficulty is medium, and that it has a limited
administrative GUI that needs quite a bit of help from a command line counterpart.
Also, Eucalyptus has a key management model of security in which the five
architectural components need to register with each other.

He described OpenStack as having a fragmented, distributed architecture, rated it
as difficult to install, and said it gets driven by multiple CLIs, has a strong,
token-based security system and uses Swift — the OpenStack massively scalable
redundant storage system — as the linchpin of its high availability story.

But these technical differences are not getting as much attention as the momentum
markers each camp pushes to prove why it is better suited for enterprise private
cloud business.

For  example,  the  OpenStack  camp  boasts 
that  at  its  semiannual  OpenStack  Summit 
in  mid-April,  there  were  3,000  conference 
attendees,  500  code  contributors  and  8,500 
downloads  of  its  most  recent  code  release  in 
just  three  weeks. 

OpenStack  competitors  are  quick  to  point 
out  that  of  all  three  stacks,  OpenStack  is  the 
most  difficult  to  piece  together.  “OpenStack  is 
really  a  technology,  not  a  product,”  says  Peder 
Ulander,  vice  president  of  product  marketing 
for  cloud  platforms  at  Citrix. 

JC Martin is a cloud architect at eBay, which currently runs 50% of the site’s
business on a private cloud. Martin explains the current OpenStack-based cloud is
his company’s second generation; its first one was built on a home-grown platform.
He adds that his team wanted to move to open source last year and, after an
extensive evaluation of the options, selected OpenStack and deployed it themselves.

“You do need a talented group of developers that have experience in day-to-day
systems administration and know how to write service automation software and then
write code that exposes those services to both IT staff and business end users,”
Martin says.

Lauren Nelson, Forrester’s private IaaS cloud lead, agrees with Ulander and contends
that enterprises will most readily consume OpenStack via a provider, as opposed to
downloading a distribution themselves and standing up their own private cloud
internally.

“I  know  of  very  few  companies  that  will 
want  to  pull  their  top  development  talent  off 
a  revenue-generating  project  to  build  an  IaaS 
internally,”  Nelson  says. 

But there are literally dozens of companies that either have built or have
announced plans for OpenStack-based IaaS products, and each has to demonstrate a
strategic advantage for its customers.

Portability  concerns 

Some analysts question whether those strategic features will over time become
proprietary features that would curtail the whole point of having an open
source-based stack: being able to avoid vendor lock-in because writing a cloud
application to an open standard is supposed to provide some portability options.

“The race is basically over unless the vendors who are building their private cloud
offerings on OpenStack decide to get greedy and build proprietary features that
could give them an appealing edge in that market, but could also lead to some
levels of OpenStack interoperability issues down the road,” says Enterprise
Management Associates analyst Torsten Volk.

Gartner’s Lakhani says portability is a distant prospect for most enterprises
looking to build a private cloud today. He argues it is going to be at least 12 to
18 months before private cloud users are going to really demand that they be able
to run applications across OpenStack platforms.

Volk did point to the OpenStack Foundation’s efforts to ramp up platform
certification efforts to help preclude any issues that might lead to users getting
locked into one OpenStack platform or another due to application dependencies.

Industry watchers say Eucalyptus’ strength and its weakness are its ties to Amazon.
The company — which brags of tens of thousands of downloads of its
Amazon-compatible cloud software and $55.5 million in venture capital money
(including $30 million picked up last year) — says it offers API parity with 90% of
the popular services offered by AWS, including EC2, S3, EBS, IAM, Auto Scaling, ELB
and CloudWatch. So an application running on a Eucalyptus private cloud using its
AWS-compatible services could burst out into the Amazon cloud using those same
services.

“When  a  customer  puts  in  one  of  our 
clouds,  they  become  an  instant  member  of  the 
Amazon  ecosystem,”  says  Eucalyptus  CEO 
Marten  Mickos. 

Forrester’s  Nelson  lauds  Eucalyptus  for 
having  a  very  complete  technology  offering 
that  is  much  more  readily  consumable  when 
compared  to  OpenStack.  That  does  translate 
to  a  strong  hybrid  cloud  proposition,  which 
many  enterprises  are  considering. 

“But on the other hand you’ve got Amazon continuously downplaying the need for
private cloud, so that might not bode well for Eucalyptus’ plans,” Nelson says.

The  Apache  CloudStack  offering  also  has 
strong  ties  to  Amazon  public  clouds  in  that  it 
offers  an  API  translator  so  that  applications 
written  for  CloudStack  can  also  run  in  AWS. 

And Citrix’s Ulander argues that its success with larger deployments — which
admittedly tend to be mostly service provider installations — “shows that our stack
has gone beyond the typical greenfield and dev/test deployments and into supporting
revenue-generating applications.” ■


► TIPS, from page 28

so that you are adhering to open standards and not married to any proprietary
features,” McKenty says.

5 MAKE SURE EXISTING APPS ARE MOVED INTO THE PRIVATE CLOUD

According to Enterprise Management Associates analyst Torsten Volk, “A big reason
that private cloud projects fail in the enterprise is that they were used only for
greenfield projects.”

There must be a significant plan in place to onboard existing business applications
to justify the startup cost for a public cloud. That requires revamping
applications so that they are aware that the underlying commodity infrastructure
could fail at any moment and know how to be resilient enough to locate another
virtual machine to run on, explains Eucalyptus’ Mickos.

McKenty  advises  that  IT  departments  looking  to  employ  private  clouds  should  not  fear 
these  potential  cloud  infrastructure  failures,  but  rather  embrace  them.  “Plan  to  pull  the 
plug  on  a  few  servers  every  once  in  a  while  and  see  what  happens,”  McKenty  says.  ■ 
10 things from my 20 years with NW


AS I write this column I’m six days past my 20th anniversary of writing for Network
World, so I thought I’d write about what’s changed over that time. There are 10
things that stand out.

10. The demise of Novell, Banyan, 3Com, DEC, Compaq, Palm, Nortel ... it's a long
list. While some of those companies simply died or were swallowed up by bigger
fish, others have and continue to just slowly wither (I’m looking at you, Novell).
What’s interesting is how much dumb luck plays a major role in determining success.

9. The rise of the Internet, which changed the world. The sad thing is that the
U.S., the country that created the Internet, still doesn’t completely understand
the Internet’s importance, which is why we’re ranked ninth or 16th — depending on
how you measure these things — worldwide in terms of broadband availability, price
and speed.

8. The rise of e-commerce. E-commerce, the selling and buying of goods and services
online, has changed how we do business. When I wrote “Navigating the Internet” back
in 1993, the idea that the Internet would become a commerce platform was
unthinkable. Now we’re arguing about how to collect taxes on online purchases.

7.  The  re-rise  of  Apple.  Perhaps  one  of  the  more  surprising  stories  in 
the  last  20  years  has  been  the  phoenix-like  success  of  Apple.  The  big 
question  is  whether  Apple  can  still  be  Apple  without  Jobs. 

6. The consumerization of IT. A few years ago the consumer IT equipment market
started eating away at the fringes of the enterprise where it was easier and
cheaper for branch offices and telecommuters to deploy low-end routers and NAS
devices purchased at Fry’s than go through the cost and complexity of using Big Boy
IT gear. This accelerated as corporate users began bringing their own laptops and
cellphones into the enterprise. Is this creating a huge management mess for IT, or
is it a huge cost savings? Whichever it is, it’s not going away.

5. The end of privacy and security. Along with all the good stuff that the Internet
has made possible there’s the bad stuff. The ’Net, the operating systems we use,
and the services we rely upon all ensure you’re trackable and hackable. It’s a
matter of when, not if.

4.  The  rise  of  Linux  and  open  source.  Who  could  have  predicted  20 
years  ago  that  Linux  and  the  open  source  movement  would  become 
such  powerful  market  forces? 

3.  The  rise  of  social  media.  Facebook  and  Twitter  and  the  rest.  Need 
I  say  more?  Whether  social  media  as  we  know  it  today  will  survive  the 
next  20  years  is  debatable. 

2. The rise of Google. Google, one of the few companies to ever become a verb, was
founded in 1998 and its growth and the sheer exuberance of its research and
development has been truly astounding.

1.  The  death  of  the  PC.  Who  knew  that  the  PC  would  so  quickly 
wane  in  importance  to  become  just  one  of  the  end  user  computing 
platforms?  According  to  IDC,  2013  will  see  PC  shipments  drop  by 
almost  8%! 

It’s been a fascinating 20 years writing for Network World so far. It’s been
exciting and, at times, exhausting ... I just hope there’s another 20 years of
writing left in me. ■

Gibbs  was  looking  backwards  from  Ventura,  Calif.  Your  view  to 
gearhead@gibbs.com. 
Microsoft’s opening act since Windows 95


THE RADIO ad caught my attention: Microsoft is opening one of its new retail stores
in the nearby Natick Mall on June 8 and the ceremonies will be followed by a free
concert that evening by ... Weezer?

I  shouldn’t  have  been  surprised,  because  it  turns  out  that  Weezer  has 
been  Microsoft’s  house  band  of  sorts  for  going  on  two  decades.  Mall 
store  openings  appear  to  be  a  somewhat  steady  gig;  for  example,  there 
was  one  last  Sept.  29  in  Newark,  Del.,  and  shows  are  also  planned  at  store 
debuts  in  Portland,  Ore.,  on  June  21  and  Schaumburg,  Ill.,  on  June  22. 

But a look at the band’s Wikipedia page showed me something about the
Microsoft/Weezer relationship that was genuinely surprising: It dates back to
Windows 95, the installation CD for which includes Weezer’s most famous music
video, “Buddy Holly.” You’ll remember that video as the one where the band plays at
Arnold’s Drive-in Diner from the TV show “Happy Days,” which ended its decade-long
run in 1984.

The  “Buddy  Holly”  video  is  all  over  YouTube,  naturally,  but  there’s 
also  a  clip  of  that  installation  CD. 

Of course, that song was by no means the most famous one associated with Windows
95: That distinction would belong to the Rolling Stones’ “Start Me Up,” which
headlined the advertising campaign.

Now  if  Microsoft  could  only  get  the  Rolling  Stones  to  play  a  store 
opening ... 

Here’s  a  great  definition  of  a  startup 

It’s an age-old question; two actually: What’s the definition of a startup? And
when does a startup cease being a startup? We’ve kicked it around here from time to
time and last week they were giving it some thought at Quora, where the best answer
offered was this one from Dave McClure:

“A  ‘startup’  is  a  company  that  is  confused  about  - 
“What  its  product  is. 

“Who  its  customers  are. 

“How  to  make  money. 

“As  soon  as  it  figures  out  all  3  things,  it  ceases  to  be  a  startup  and  then 
becomes  a  real  business. 

“Except  most  times,  that  doesn’t  happen.” 

That  about  says  it  all. 

An  iPad  hits  the  floor 

The  other  night,  while  I  was  doing  some  work  at  the  kitchen  table,  the 
living  room  produced  a  crashing  sound  followed  by  a  child’s  panicked 
shriek.  My  first  thought  was  that  the  TV  remote  had  once  again  hit  our 
fake  hardwood  floor ...  but  instead  it  was  my  iPad. 

The  next  shriek  was  my  own. 

At  first  glance  it  was  obvious  that  the  iPad  was  in  pieces;  however,  it 
quickly  became  clear  that  those  pieces  were  actually  the  iPad  cover  and 
the  iPad  itself,  no  longer  joined.  Bottom  line:  no  damage,  not  a  scratch. 

And  there  may  even  have  been  an  upside.  This  incident  occurred 
not  an  hour  after  I  had  lectured  the  child  in  question  about  the  need  to 
carry  and  handle  the  iPad  with  two  hands  as  often  as  possible  so  as  to 
avoid  dropping  it ...  the  lecture  obviously  went  unheeded. 

Not  so  the  shrieks.  ■ 

Weezer  concert  tales  can  be  directed  to  buzz@nww.com. 